Revision 17f6c75c
Added by Serghei Mihai almost 10 years ago
control | ||
---|---|---|
20 | 20 |
Architecture: all |
21 | 21 |
Depends: ${misc:Depends}, |
22 | 22 |
python-uauth (= ${binary:Version}), |
23 |
gunicorn, slapd, freeradius-ldap |
|
23 |
gunicorn, slapd, freeradius-ldap, |
|
24 |
ldapvi |
|
24 | 25 |
Recommends: nginx, postgresql |
25 | 26 |
Description: Captive potail in the Cloud |
lib/reset-slapd | ||
---|---|---|
1 |
#!/bin/sh |
|
2 |
# initial configuration of slapd |
|
3 |
|
|
4 |
set -e |
|
5 |
|
|
6 |
LDIFDIR=/usr/share/u-auth |
|
7 |
SERVICE="/usr/sbin/service slapd" |
|
8 |
|
|
9 |
echo "" |
|
10 |
echo " *************" |
|
11 |
echo " * * La configuration et toutes les données" |
|
12 |
echo " * ATTENTION * de l'annuaire LDAP vont être définitivement" |
|
13 |
echo " * * effacées. Avez-vous fait un backup ?" |
|
14 |
echo " *************" |
|
15 |
|
|
16 |
echo "" |
|
17 |
echo "Confirmez la MISE A ZÉRO COMPLÈTE de l'annuaire LDAP." |
|
18 |
echo "" |
|
19 |
echo -n "Tapez oui en toutes lettres : " |
|
20 |
read ok |
|
21 |
if [ "x$ok" != "xoui" ]; then |
|
22 |
exit 3 |
|
23 |
fi |
|
24 |
|
|
25 |
${SERVICE} stop || true |
|
26 |
|
|
27 |
|
|
28 |
BACKUPDIR="/var/backup/reset-ldap-`date +%Y%m%dT%H:%M:%S`" |
|
29 |
mkdir -p "$BACKUPDIR" |
|
30 |
echo Old configuration saved in $BACKUPDIR |
|
31 |
cp -R /var/lib/ldap /etc/ldap/slapd.d/ "$BACKUPDIR" |
|
32 |
|
|
33 |
echo -n "Effacement de la configuration" |
|
34 |
rm -rf /etc/ldap/slapd.d/* |
|
35 |
echo -n " et des données .." |
|
36 |
rm -rf /var/lib/ldap/* |
|
37 |
echo "ok" |
|
38 |
|
|
39 |
if ! grep "^\s*profile\s\+config\s*$" /etc/ldapvi.conf > /dev/null 2>&1; then |
|
40 |
echo "(ajout du 'profile config' dans /etc/ldapvi.conf)" |
|
41 |
cat << EOLDAPVI >> /etc/ldapvi.conf |
|
42 |
|
|
43 |
profile config |
|
44 |
host: ldapi:// |
|
45 |
sasl-mech: EXTERNAL |
|
46 |
base: cn=config |
|
47 |
|
|
48 |
EOLDAPVI |
|
49 |
fi |
|
50 |
|
|
51 |
|
|
52 |
|
|
53 |
mkdir /var/lib/ldap/config-accesslog/ |
|
54 |
|
|
55 |
echo "Installation de la nouvelle configuration .. " |
|
56 |
slapadd -n0 -F/etc/ldap/slapd.d -l${LDIFDIR}/config.ldif |
|
57 |
echo "ok" |
|
58 |
|
|
59 |
echo "Installation des schémas .. " |
|
60 |
slapadd -n0 -F/etc/ldap/slapd.d -l/etc/ldap/schema/core.ldif |
|
61 |
slapadd -n0 -F/etc/ldap/slapd.d -l/etc/ldap/schema/cosine.ldif |
|
62 |
slapadd -n0 -F/etc/ldap/slapd.d -l/etc/ldap/schema/inetorgperson.ldif |
|
63 |
echo "ok" |
|
64 |
|
|
65 |
chown -R openldap:openldap /etc/ldap/slapd.d /var/lib/ldap |
|
66 |
|
|
67 |
if [ ! -s /etc/ldap/ssl/slapd.pem -o ! -s /etc/ldap/ssl/slapd.key ]; then |
|
68 |
echo "Pose de certificats SSL par défaut (invalides)" |
|
69 |
mkdir -p /etc/ldap/ssl |
|
70 |
cp -v ${LDIFDIR}/ssl.pem /etc/ldap/ssl/slapd.pem |
|
71 |
cp -v ${LDIFDIR}/ssl.key /etc/ldap/ssl/slapd.key |
|
72 |
chown -R root:openldap /etc/ldap/ssl |
|
73 |
chmod 0755 /etc/ldap/ssl |
|
74 |
chmod 0644 /etc/ldap/ssl/slapd.pem |
|
75 |
chmod 0640 /etc/ldap/ssl/slapd.key |
|
76 |
echo "ok" |
|
77 |
fi |
|
78 |
|
|
79 |
${SERVICE} start |
|
80 |
|
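Review bot: `cp -v ${LDIFDIR}/ssl.key /etc/ldap/ssl/slapd.key` (L237) installs the same private key on every host that runs this script, and since that key ships inside the package anyone holding the package has it, so the fallback TLS setup provides no server authentication; the message at L228 says the certificate is invalid but not that the key is shared. Generate a per-host self-signed pair instead, e.g. `openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$(hostname -f)" -keyout /etc/ldap/ssl/slapd.key -out /etc/ldap/ssl/slapd.pem`, keeping the chown/chmod lines that follow it. The backup taken at L111-L117 copies slapd.d, which carries olcRootPW values, into a directory created with the caller's default umask; a `umask 077` before `mkdir -p "$BACKUPDIR"` (or `chmod 0700 "$BACKUPDIR"` right after it) keeps it root-only. Under `#!/bin/sh` the `-o` in `[ ! -s … -o ! -s … ]` (L225) and `echo -n` are not portable; `[ ! -s /etc/ldap/ssl/slapd.pem ] || [ ! -s /etc/ldap/ssl/slapd.key ]` and `printf '%s' …` are.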
lib/reset-slapd.help | ||
---|---|---|
1 |
mise à zéro complète |
|
2 |
|
|
3 |
Attention, cela efface complétement la configuration et |
|
4 |
les données actuelles du serveur LDAP (slapd). |
lib/setup-radius | ||
---|---|---|
1 |
#!/bin/sh |
|
2 |
# Do initial configuration of freeradius |
|
3 |
|
|
4 |
set -e |
|
5 |
|
|
6 |
CONF_DIR = '/etc/freeradius' |
|
7 |
BASEDIR=`dirname $0` |
|
8 |
|
|
9 |
service freeradius stop |
|
10 |
|
|
11 |
cp "$CONF_DIR/sites-available/default" "$CONF_DIR/sites-available/default.backup" |
|
12 |
cp "$BASEDIR/radius-default.conf" "$CONF_DIR/sites-available/default" |
|
13 |
|
|
14 |
service freeradius start |
|
15 |
|
|
16 |
|
|
17 |
|
|
18 |
|
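Review bot: `CONF_DIR = '/etc/freeradius'` (L296) is not an assignment in sh — the shell tries to run a command named `CONF_DIR`, and with `set -e` the script stops there with exit 127 before any cp runs; it should read `CONF_DIR='/etc/freeradius'`. `BASEDIR=`dirname $0`` (L299) should be `BASEDIR=$(dirname "$0")` so a path containing spaces survives. Because freeradius is stopped at L305 before the copies, any cp failure under `set -e` leaves the service down; a `trap 'service freeradius start' EXIT` after the stop (dropping the explicit start at L320) restores it on every exit path. Re-running the script also overwrites `default.backup` (L311) with the already-replaced file, losing the original; `[ -e "$CONF_DIR/sites-available/default.backup" ] || cp …` preserves the first backup.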
lib/setup-radius.help | ||
---|---|---|
1 |
activation et parametrage du module ldap dans radius |
lib/setup-slapd | ||
---|---|---|
1 |
#!/bin/sh |
|
2 |
# Do initial configuration of slapd |
|
3 |
|
|
4 |
set -e |
|
5 |
|
|
6 |
LDIFDIR=/usr/share/u-auth |
|
7 |
|
|
8 |
BACKUPDIR="/var/backup/reset-ldap-`date +%Y%m%dT%H:%M:%S`" |
|
9 |
mkdir -p "$BACKUPDIR" |
|
10 |
echo Old configuration saved in $BACKUPDIR |
|
11 |
cp -R /var/lib/ldap /etc/ldap/slapd.d/ "$BACKUPDIR" |
|
12 |
rm -rf /var/lib/ldap/* |
|
13 |
mkdir /var/lib/ldap/config-accesslog/ |
|
14 |
|
|
15 |
echo Load overlay modules, configure auditlog for cn=config |
|
16 |
slapadd -n0 -F/etc/ldap/slapd.d -l${LDIFDIR}/radius.ldif |
|
17 |
|
|
18 |
echo "Suffixe de la base à créer (exemple : dc=univ-psl,dc=fr) :" |
|
19 |
echo -n "-> " |
|
20 |
read SUFFIX |
|
21 |
echo |
|
22 |
|
|
23 |
if [ -d "/var/lib/ldap/$SUFFIX" ]; then |
|
24 |
echo "ERR: le répertoire '/var/lib/ldap/$SUFFIX' existe déjà" >&2 |
|
25 |
exit 1 |
|
26 |
fi |
|
27 |
|
|
28 |
if ldapsearch -H ldapi:// -Y EXTERNAL -b cn=config olcSuffix=$SUFFIX 2>/dev/null | grep -q '^result: [1-9]'; then |
|
29 |
echo "ERR: le suffixe $SUFFIX existe déjà" >&2 |
|
30 |
exit 2 |
|
31 |
fi |
|
32 |
|
|
33 |
echo "Choisir un mot de passe administrateur (uid=admin,ou=people,$SUFFIX) :" |
|
34 |
echo -n "-> " |
|
35 |
stty -echo |
|
36 |
read PASSWORD |
|
37 |
stty echo |
|
38 |
echo |
|
39 |
echo "Une nouvelle fois :" |
|
40 |
echo -n "-> " |
|
41 |
stty -echo |
|
42 |
read PASSWORD2 |
|
43 |
stty echo |
|
44 |
echo |
|
45 |
if [ x"$PASSWORD" != x"$PASSWORD2" ]; then |
|
46 |
echo "ERR: mots de passe différents" >&2 |
|
47 |
exit 3 |
|
48 |
fi |
|
49 |
echo |
|
50 |
|
|
51 |
echo "Nom de l'organisation (ou=...) :" |
|
52 |
echo "uniquement des majuscules, sans accent" |
|
53 |
echo "Exemple: ENS" |
|
54 |
echo -n "-> " |
|
55 |
read ORGANIZATION |
|
56 |
echo |
|
57 |
|
|
58 |
|
|
59 |
echo "Récapitulatif :" |
|
60 |
echo " Suffixe : $SUFFIX" |
|
61 |
echo " Nom : $ORGANIZATION" |
|
62 |
echo "DN établissement : ou=$ORGANIZATION,$SUFFIX" |
|
63 |
echo |
|
64 |
echo "Créer cette base ? (taper oui)" |
|
65 |
echo -n "-> " |
|
66 |
read OK |
|
67 |
echo |
|
68 |
|
|
69 |
if [ "x$OK" != "xoui" ]; then |
|
70 |
exit 4 |
|
71 |
fi |
|
72 |
|
|
73 |
DC=`echo $SUFFIX | sed 's/dc=\([^,]*\).*/\1/'` |
|
74 |
|
|
75 |
DBDIR=/var/lib/ldap/$SUFFIX |
|
76 |
DBACCESSLOGDIR=/var/lib/ldap/$SUFFIX/accesslog/ |
|
77 |
|
|
78 |
mkdir -p "$DBDIR" "$DBACCESSLOGDIR" |
|
79 |
|
|
80 |
chown -R openldap:openldap /etc/ldap/slapd.d /var/lib/ldap |
|
81 |
|
|
82 |
LDIF=`tempfile --prefix=newdb --suffix=.ldif` |
|
83 |
cat << EOF > $LDIF |
|
84 |
# LDAPVI syntax |
|
85 |
add olcDatabase={1}mdb,cn=config |
|
86 |
objectClass: olcDatabaseConfig |
|
87 |
objectClass: olcMdbConfig |
|
88 |
olcDatabase: {1}mdb |
|
89 |
olcSuffix: $SUFFIX |
|
90 |
olcDbDirectory: /var/lib/ldap/$SUFFIX/ |
|
91 |
olcRootDN: uid=admin,ou=people,$SUFFIX |
|
92 |
olcRootPW: $PASSWORD |
|
93 |
olcLastMod: TRUE |
|
94 |
olcAddContentACL: FALSE |
|
95 |
olcMonitoring: TRUE |
|
96 |
olcSyncUseSubentry: FALSE |
|
97 |
olcMaxDerefDepth: 0 |
|
98 |
olcLimits: {0}dn.exact="uid=admin,ou=people,$SUFFIX" size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited |
|
99 |
olcLimits: {1}dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited |
|
100 |
olcReadOnly: FALSE |
|
101 |
# Index |
|
102 |
olcDbIndex: objectClass,member,owner eq |
|
103 |
olcDbIndex: mail,givenName,uid,cn,sn,displayName pres,eq,approx,sub |
|
104 |
# Accès super-utilisateur |
|
105 |
olcAccess: {0}to * |
|
106 |
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage |
|
107 |
by group.exact="cn=admin,ou=groups,$SUFFIX" manage |
|
108 |
by * break |
|
109 |
# Branche people |
|
110 |
olcAccess: {1}to dn.regex="uid=[^,]+,ou=people,$SUFFIX" attrs=userPassword,labeledURI |
|
111 |
by self write |
|
112 |
by * break |
|
113 |
# Les accès aux autres attributs utilisateurs |
|
114 |
olcAccess: {2}to dn.one="ou=people,$SUFFIX" |
|
115 |
by users read |
|
116 |
by anonymous auth |
|
117 |
by * none |
|
118 |
# Branche groups |
|
119 |
# Le propriétaire du groupe |
|
120 |
olcAccess: {3}to dn.one="ou=groups,$SUFFIX" |
|
121 |
by set="this/owner & user" manage |
|
122 |
by * break |
|
123 |
# Les utilisateurs en général sur les attributs descriptifs |
|
124 |
olcAccess: {4}to dn.one="ou=groups,$SUFFIX" attrs=cn,description,owner |
|
125 |
by users read |
|
126 |
by * break |
|
127 |
|
|
128 |
# Create accesslog DIT |
|
129 |
add olcDatabase={1}mdb,cn=config |
|
130 |
objectClass: olcDatabaseConfig |
|
131 |
objectClass: olcMdbConfig |
|
132 |
olcSuffix: cn=accesslog,$SUFFIX |
|
133 |
olcDbDirectory: /var/lib/ldap/$SUFFIX/accesslog/ |
|
134 |
olcAccess: {0}to * |
|
135 |
by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage |
|
136 |
by group=cn=admin,ou=groupes,$SUFFIX manage |
|
137 |
by * break |
|
138 |
|
|
139 |
add olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config |
|
140 |
objectClass: olcOverlayConfig |
|
141 |
objectClass: olcSyncProvConfig |
|
142 |
olcOverlay: {0}syncprov |
|
143 |
olcSpCheckpoint: 100 10 |
|
144 |
olcSpSessionlog: 100 |
|
145 |
|
|
146 |
# Log all writes to the db |
|
147 |
add olcOverlay={1}accesslog,olcDatabase={2}mdb,cn=config |
|
148 |
objectClass: olcAccesslogConfig |
|
149 |
objectClass: olcOverlayConfig |
|
150 |
objectClass: olcConfig |
|
151 |
objectClass: top |
|
152 |
olcOverlay: {1}accesslog |
|
153 |
olcAccessLogDB: cn=accesslog,$SUFFIX |
|
154 |
olcAccessLogOps: writes |
|
155 |
# log are conserved one year and purged every day |
|
156 |
olcAccessLogPurge: 365+00:00 1+00:00 |
|
157 |
# Keep a copy of everything |
|
158 |
olcAccessLogOld: objectClass=* |
|
159 |
|
|
160 |
add olcOverlay={2}refint,olcDatabase={2}mdb,cn=config |
|
161 |
objectClass: olcOverlayConfig |
|
162 |
objectClass: olcRefintConfig |
|
163 |
olcOverlay: {2}refint |
|
164 |
olcRefintAttribute: member |
|
165 |
olcRefintNothing: $SUFFIX |
|
166 |
|
|
167 |
add olcOverlay={3}constraint,olcDatabase={2}mdb,cn=config |
|
168 |
objectClass: olcOverlayConfig |
|
169 |
objectClass: olcConstraintConfig |
|
170 |
olcOverlay: {3}constraint |
|
171 |
# un seul cn pour les utilisateurs |
|
172 |
olcConstraintAttribute: cn count 1 restrict="ldap:///ou=people,$SUFFIX??sub?(objectClass=*)" |
|
173 |
#olcConstraintAttribute: cn regex "^[-A-Z' ]*$" restrict="ldap:///ou=people,$SUFFIX??sub?(objectClass=*)" |
|
174 |
olcConstraintAttribute: cn regex "^[-A-Za-z0-9 ]*$" restrict="ldap:///ou=groups,$SUFFIX??sub?(objectClass=*)" |
|
175 |
olcConstraintAttribute: cn regex "^[-A-Za-z0-9 ]*$" restrict="ldap:///$SUFFIX??base?(objectClass=*)" |
|
176 |
olcConstraintAttribute: dc regex "^[a-z0-9-]*$" |
|
177 |
olcConstraintAttribute: mail count 1 |
|
178 |
olcConstraintAttribute: mail |
|
179 |
regex "^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}$" |
|
180 |
# olcConstraintAttribute: mailForwardingAddress |
|
181 |
regex "^([a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}|[a-zA-Z0-9]+)$" # mail ou uid |
|
182 |
|
|
183 |
add $SUFFIX |
|
184 |
objectClass: organization |
|
185 |
objectClass: dcObject |
|
186 |
dc: $DC |
|
187 |
o: $ORGANIZATION |
|
188 |
|
|
189 |
add ou=people,$SUFFIX |
|
190 |
objectClass: organizationalUnit |
|
191 |
ou: people |
|
192 |
|
|
193 |
add uid=admin,ou=people,$SUFFIX |
|
194 |
objectClass: inetOrgPerson |
|
195 |
uid: admin |
|
196 |
cn: Administrateur annuaire |
|
197 |
displayName: Administrateur annuaire |
|
198 |
givenName: Administrateur |
|
199 |
sn: annuaire |
|
200 |
userPassword: $PASSWORD |
|
201 |
|
|
202 |
add ou=$ORGANIZATION,$SUFFIX |
|
203 |
objectClass: organizationalUnit |
|
204 |
ou: $ORGANIZATION |
|
205 |
|
|
206 |
EOF |
|
207 |
|
|
208 |
|
|
209 |
echo "Chargement de la définition de la nouvelle base annuaire ($LDIF) :" |
|
210 |
ldapvi --verbose --profile config --ldapmodify --ldapvi --add $LDIF |
|
211 |
# slapadd -n0 -F/etc/ldap/slapd.d -l${LDIF} |
|
212 |
echo "OK" |
|
213 |
|
|
214 |
chown -R openldap.openldap /etc/ldap/slapd.d /var/lib/ldap |
|
215 |
|
|
216 |
LDAP_SETUP=`tempfile --prefix=ldap --suffix=.conf` |
|
217 |
cat << EOF > $LDAP_SETUP |
|
218 |
ldap { |
|
219 |
# |
|
220 |
# Note that this needs to match the name in the LDAP |
|
221 |
# server certificate, if you're using ldaps. |
|
222 |
server = "localhost" |
|
223 |
identity = "uid=admin,ou=people,$SUFFIX" |
|
224 |
password = "$PASSWORD" |
|
225 |
basedn = "$ORGANIZATION,$SUFFIX" |
|
226 |
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" |
|
227 |
#base_filter = "(objectclass=radiusprofile)" |
|
228 |
|
|
229 |
ldap_connections_number = 5 |
|
230 |
|
|
231 |
# How many times the connection can be used before |
|
232 |
# being re-established. This is useful for things |
|
233 |
# like load balancers, which may exhibit sticky |
|
234 |
# behaviour without it. (0) is unlimited. |
|
235 |
max_uses = 0 |
|
236 |
|
|
237 |
# Port to connect on, defaults to 389. Setting this to |
|
238 |
# 636 will enable LDAPS if start_tls (see below) is not |
|
239 |
# able to be used. |
|
240 |
#port = 389 |
|
241 |
|
|
242 |
# seconds to wait for LDAP query to finish. default: 20 |
|
243 |
timeout = 4 |
|
244 |
|
|
245 |
# seconds LDAP server has to process the query (server-side |
|
246 |
# time limit). default: 20 |
|
247 |
# |
|
248 |
# LDAP_OPT_TIMELIMIT is set to this value. |
|
249 |
timelimit = 3 |
|
250 |
|
|
251 |
# |
|
252 |
# seconds to wait for response of the server. (network |
|
253 |
# failures) default: 10 |
|
254 |
# |
|
255 |
# LDAP_OPT_NETWORK_TIMEOUT is set to this value. |
|
256 |
net_timeout = 1 |
|
257 |
|
|
258 |
# Mapping of RADIUS dictionary attributes to LDAP |
|
259 |
# directory attributes. |
|
260 |
dictionary_mapping = ${confdir}/ldap.attrmap |
|
261 |
|
|
262 |
# Un-comment the following to disable Novell |
|
263 |
# eDirectory account policy check and intruder |
|
264 |
# detection. This will work *only if* FreeRADIUS is |
|
265 |
# configured to build with --with-edir option. |
|
266 |
# |
|
267 |
edir_account_policy_check = no |
|
268 |
|
|
269 |
# By default, if the packet contains a User-Password, |
|
270 |
# and no other module is configured to handle the |
|
271 |
# authentication, the LDAP module sets itself to do |
|
272 |
# LDAP bind for authentication. |
|
273 |
# |
|
274 |
# THIS WILL ONLY WORK FOR PAP AUTHENTICATION. |
|
275 |
# |
|
276 |
# THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP). |
|
277 |
# |
|
278 |
# You can disable this behavior by setting the following |
|
279 |
# configuration entry to "no". |
|
280 |
# |
|
281 |
# allowed values: {no, yes} |
|
282 |
# set_auth_type = yes |
|
283 |
|
|
284 |
|
|
285 |
# Keepalive configuration. This MAY NOT be supported by your |
|
286 |
# LDAP library. If these configuration entries appear in the |
|
287 |
# output of "radiusd -X", then they are supported. Otherwise, |
|
288 |
# they are unsupported, and changing them will do nothing. |
|
289 |
# |
|
290 |
keepalive { |
|
291 |
# LDAP_OPT_X_KEEPALIVE_IDLE |
|
292 |
idle = 60 |
|
293 |
|
|
294 |
# LDAP_OPT_X_KEEPALIVE_PROBES |
|
295 |
probes = 3 |
|
296 |
|
|
297 |
# LDAP_OPT_X_KEEPALIVE_INTERVAL |
|
298 |
interval = 3 |
|
299 |
} |
|
300 |
} |
|
301 |
EOF |
|
302 |
|
|
303 |
|
|
304 |
service freeradius stop |
|
305 |
|
|
306 |
cp /etc/freeradius/modules/ldap /etc/freeradius/modules/ldap.backup |
|
307 |
mv $LDAP_SETUP /etc/freeradius/modules/ldap |
|
308 |
|
|
309 |
service freeradius start |
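Review bot: Any authenticated user can read `userPassword` under ou=people: rule {1} (L667-L673) ends with `by * break`, so non-self requests fall through to rule {2} (L679-L688), whose `by users read` covers every attribute — and since `userPassword: $PASSWORD` (L937) and `olcRootPW: $PASSWORD` (L613) are written unhashed, what they read is the cleartext admin password. End rule {1} with `by self write` / `by anonymous auth` / `by * none` (splitting labeledURI into its own rule if others must still read it), and store a hash produced by slappasswd, reading the secret with `-T` from a 0600 file rather than `-s`, which exposes it on the process list. The LDIF temp file created at L583 holds the same cleartext password and is never removed, and an abort between `stty -echo` (L442) and `stty echo` leaves the terminal without echo; `trap 'rm -f "$LDIF" "$LDAP_SETUP"; stty echo 2>/dev/null' EXIT` near the top covers both. Two smaller slips: `basedn = "$ORGANIZATION,$SUFFIX"` (L1012) appears to lack the `ou=` that L523 shows, and the accesslog ACL grants manage to `ou=groupes` (L745) while every other rule uses `ou=groups`. The RADIUS module is also configured to bind as the rootDN itself (L1006), so a read of /etc/freeradius/modules/ldap yields full directory control; a dedicated read-only bind account would follow least privilege.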
lib/setup-slapd.help | ||
---|---|---|
1 |
création d'une nouvelle base, avec un nouveau suffixe |
|
2 |
|
|
3 |
Paramètrage de freeradius pour la connexion à cette base |
lib/u-auth | ||
---|---|---|
1 |
#!/bin/sh |
|
2 |
|
|
3 |
ME=`basename $0` |
|
4 |
COMMANDDIR=`dirname $0`/lib |
|
5 |
test -d ${COMMANDDIR} || COMMANDDIR=/usr/lib/`basename $0` |
|
6 |
|
|
7 |
help() { |
|
8 |
msg="$1" |
|
9 |
test -n "$msg" && echo $msg |
|
10 |
echo "syntaxe: $ME commande ..." |
|
11 |
echo "" |
|
12 |
echo "commandes disponibles:" |
|
13 |
echo " help cette aide" |
|
14 |
for fcom in $COMMANDDIR/*.help |
|
15 |
do |
|
16 |
com=`basename $fcom .help` |
|
17 |
descr=`head -1 $fcom` |
|
18 |
echo " "$com" "$descr |
|
19 |
done |
|
20 |
test -n "$msg" && exit 1 |
|
21 |
exit 0 |
|
22 |
} |
|
23 |
|
|
24 |
helpcmd() { |
|
25 |
command=$1 |
|
26 |
xcommand=$COMMANDDIR/$command |
|
27 |
test -x $xcommand || help "ERR: commande inconnue ($command)" |
|
28 |
echo "$ME $command" |
|
29 |
cat $xcommand.help |
|
30 |
} |
|
31 |
|
|
32 |
command=$1 |
|
33 |
test -z $command && help "ERR: commande manquante" |
|
34 |
shift |
|
35 |
|
|
36 |
case $command in |
|
37 |
help) |
|
38 |
test -z "$1" && help |
|
39 |
helpcmd $1 |
|
40 |
;; |
|
41 |
*) |
|
42 |
xcommand=$COMMANDDIR/$command |
|
43 |
test -x $xcommand || help "ERR: commande inconnue ($command)" |
|
44 |
$xcommand "$@" |
|
45 |
;; |
|
46 |
esac |
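Review bot: `test -z $command` (L1374) only works by accident — when no argument is given, `$command` expands to nothing and `test -z` becomes a one-argument test on the literal string `-z`, which is true; write `test -z "$command"` and quote the other expansions (`$xcommand`, `$fcom`, `$msg`, `$1`) as well. `help` prints its error message to stdout together with the usage text (L1302); `echo "$msg" >&2` keeps diagnostics out of captured output. `xcommand=$COMMANDDIR/$command` (L1401) is built from the first argument unchanged, so a name containing `/` resolves outside the command directory; a `*/*) help "ERR: commande inconnue ($command)" ;;` arm before `*)` keeps dispatch inside `$COMMANDDIR`. `for fcom in $COMMANDDIR/*.help` (L1317) yields the literal pattern when no .help file exists, so the loop body should start with `test -e "$fcom" || continue`.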
schema/radius.ldif | ||
---|---|---|
1 |
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify. |
|
2 |
# CRC32 283edc8d |
|
3 |
# Put this file to /etc/ldap/schema/ and then execute the following |
|
4 |
# comand to add this schema: |
|
5 |
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/radius.ldif |
|
6 |
dn: cn=radius,cn=schema,cn=config |
|
7 |
objectClass: olcSchemaConfig |
|
8 |
cn: radius |
|
9 |
olcAttributeTypes: {0}( 1.3.6.1.4.1.3317.4.3.1.1 NAME 'radiusArapFeatures' D |
|
10 |
ESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SIN |
|
11 |
GLE-VALUE ) |
|
12 |
olcAttributeTypes: {1}( 1.3.6.1.4.1.3317.4.3.1.2 NAME 'radiusArapSecurity' D |
|
13 |
ESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SIN |
|
14 |
GLE-VALUE ) |
|
15 |
olcAttributeTypes: {2}( 1.3.6.1.4.1.3317.4.3.1.3 NAME 'radiusArapZoneAccess' |
|
16 |
DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 S |
|
17 |
INGLE-VALUE ) |
|
18 |
olcAttributeTypes: {3}( 1.3.6.1.4.1.3317.4.3.1.44 NAME 'radiusAuthType' DESC |
|
19 |
'checkItem: Auth-Type' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466 |
|
20 |
.115.121.1.26 SINGLE-VALUE ) |
|
21 |
olcAttributeTypes: {4}( 1.3.6.1.4.1.3317.4.3.1.4 NAME 'radiusCallbackId' DES |
|
22 |
C 'replyItem: Callback-Id' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1 |
|
23 |
466.115.121.1.26 SINGLE-VALUE ) |
|
24 |
olcAttributeTypes: {5}( 1.3.6.1.4.1.3317.4.3.1.5 NAME 'radiusCallbackNumber' |
|
25 |
DESC 'replyItem: Callback-Number' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6 |
|
26 |
.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
|
27 |
olcAttributeTypes: {6}( 1.3.6.1.4.1.3317.4.3.1.6 NAME 'radiusCalledStationId |
|
28 |
' DESC 'checkItem: Called-Station-Id' EQUALITY caseIgnoreIA5Match SYNTAX 1. |
|
29 |
3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
|
30 |
olcAttributeTypes: {7}( 1.3.6.1.4.1.3317.4.3.1.7 NAME 'radiusCallingStationI |
|
31 |
d' DESC 'checkItem: Calling-Station-Id' EQUALITY caseIgnoreIA5Match SYNTAX |
|
32 |
1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
|
33 |
olcAttributeTypes: {8}( 1.3.6.1.4.1.3317.4.3.1.8 NAME 'radiusClass' DESC 're |
|
34 |
plyItem: Class' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121 |
|
35 |
.1.26 ) |
|
36 |
olcAttributeTypes: {9}( 1.3.6.1.4.1.3317.4.3.1.45 NAME 'radiusClientIPAddres |
|
37 |
s' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 |
|
38 |
SINGLE-VALUE ) |
|
39 |
olcAttributeTypes: {10}( 1.3.6.1.4.1.3317.4.3.1.9 NAME 'radiusFilterId' DESC |
|
40 |
'replyItem: Filter-Id' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466 |
|
41 |
.115.121.1.26 ) |
|
42 |
olcAttributeTypes: {11}( 1.3.6.1.4.1.3317.4.3.1.10 NAME 'radiusFramedAppleTa |
|
43 |
lkLink' DESC 'replyItem: Framed-AppleTalk-Link' EQUALITY caseIgnoreIA5Match |
|
44 |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
|
45 |
olcAttributeTypes: {12}( 1.3.6.1.4.1.3317.4.3.1.11 NAME 'radiusFramedAppleTa |
|
46 |
lkNetwork' DESC 'replyItem: Framed-AppleTalk-Network' EQUALITY caseIgnoreIA |
|
47 |
5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
|
48 |
olcAttributeTypes: {13}( 1.3.6.1.4.1.3317.4.3.1.12 NAME 'radiusFramedAppleTa |
|
49 |
lkZone' DESC 'replyItem: Framed-AppleTalk-Zone' EQUALITY caseIgnoreIA5Match |
|
50 |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
|
51 |
olcAttributeTypes: {14}( 1.3.6.1.4.1.3317.4.3.1.13 NAME 'radiusFramedCompres |
|
52 |
sion' DESC 'replyItem: Framed-Compression' EQUALITY caseIgnoreIA5Match SYNT |
|
53 |
AX 1.3.6.1.4.1.1466.115.121.1.26 ) |
|
54 |
olcAttributeTypes: {15}( 1.3.6.1.4.1.3317.4.3.1.14 NAME 'radiusFramedIPAddre |
|
55 |
ss' DESC 'replyItem: Framed-IP-Address' EQUALITY caseIgnoreIA5Match SYNTAX |
|
56 |
1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
|
57 |
olcAttributeTypes: {16}( 1.3.6.1.4.1.3317.4.3.1.15 NAME 'radiusFramedIPNetma |
|
58 |
sk' DESC 'replyItem: Framed-IP-Netmask' EQUALITY caseIgnoreIA5Match SYNTAX |
|
59 |
1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
|
60 |
olcAttributeTypes: {17}( 1.3.6.1.4.1.3317.4.3.1.16 NAME 'radiusFramedIPXNetw |
|
61 |
ork' DESC 'replyItem: Framed-IPX-Network' EQUALITY caseIgnoreIA5Match SYNTA |
|
62 |
X 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
|
63 |
olcAttributeTypes: {18}( 1.3.6.1.4.1.3317.4.3.1.17 NAME 'radiusFramedMTU' DE |
|
64 |
SC 'replyItem: Framed-MTU' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1 |
|
65 |
466.115.121.1.26 SINGLE-VALUE ) |
|
66 |
olcAttributeTypes: {19}( 1.3.6.1.4.1.3317.4.3.1.18 NAME 'radiusFramedProtoco |
|
67 |
l' DESC 'replyItem: Framed-Protocol' EQUALITY caseIgnoreIA5Match SYNTAX 1.3 |
|
68 |
.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
|
69 |
olcAttributeTypes: {20}( 1.3.6.1.4.1.3317.4.3.1.19 NAME 'radiusFramedRoute' |
|
70 |
DESC 'replyItem: Framed-Route' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4 |
|
71 |
.1.1466.115.121.1.26 ) |
|
72 |
olcAttributeTypes: {21}( 1.3.6.1.4.1.3317.4.3.1.20 NAME 'radiusFramedRouting |
|
73 |
' DESC 'replyItem: Framed-Routing' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6 |
|
74 |
.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
|
75 |
olcAttributeTypes: {22}( 1.3.6.1.4.1.3317.4.3.1.46 NAME 'radiusGroupName' DE |
|
76 |
SC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
|
77 |
olcAttributeTypes: {23}( 1.3.6.1.4.1.3317.4.3.1.47 NAME 'radiusHint' DESC '' |
|
78 |
EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VA |
|
79 |
LUE ) |
|
80 |
olcAttributeTypes: {24}( 1.3.6.1.4.1.3317.4.3.1.48 NAME 'radiusHuntgroupName |
|
81 |
' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 |
|
82 |
) |
|
83 |
olcAttributeTypes: {25}( 1.3.6.1.4.1.3317.4.3.1.21 NAME 'radiusIdleTimeout' |
|
84 |
DESC 'replyItem: Idle-Timeout' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4 |
|
85 |
.1.1466.115.121.1.26 SINGLE-VALUE ) |
|
86 |
olcAttributeTypes: {26}( 1.3.6.1.4.1.3317.4.3.1.22 NAME 'radiusLoginIPHost' |
|
87 |
DESC 'replyItem: Login-IP-Host' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1. |
|
88 |
4.1.1466.115.121.1.26 ) |
|
89 |
olcAttributeTypes: {27}( 1.3.6.1.4.1.3317.4.3.1.23 NAME 'radiusLoginLATGroup |
|
90 |
' DESC 'replyItem: Login-LAT-Group' EQUALITY caseIgnoreIA5Match SYNTAX 1.3. |
|
91 |
6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
|
92 |
olcAttributeTypes: {28}( 1.3.6.1.4.1.3317.4.3.1.24 NAME 'radiusLoginLATNode' |
|
93 |
DESC 'replyItem: Login-LAT-Node' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6. |
|
94 |
1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
|
95 |
olcAttributeTypes: {29}( 1.3.6.1.4.1.3317.4.3.1.25 NAME 'radiusLoginLATPort' |
|
96 |
DESC 'replyItem: Login-LAT-Port' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6. |
|
97 |
1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
|
98 |
olcAttributeTypes: {30}( 1.3.6.1.4.1.3317.4.3.1.26 NAME 'radiusLoginLATServi |
|
99 |
ce' DESC 'replyItem: Login-LAT-Service' EQUALITY caseIgnoreIA5Match SYNTAX |
|
100 |
1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
|
101 |
olcAttributeTypes: {31}( 1.3.6.1.4.1.3317.4.3.1.27 NAME 'radiusLoginService' |
|
102 |
DESC 'replyItem: Login-Service' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1 |
|
103 |
.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
|
104 |
olcAttributeTypes: {32}( 1.3.6.1.4.1.3317.4.3.1.28 NAME 'radiusLoginTCPPort' |
|
105 |
DESC 'replyItem: Login-TCP-Port' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6. |
|
106 |
1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
|
107 |
olcAttributeTypes: {33}( 1.3.6.1.4.1.3317.4.3.1.29 NAME 'radiusPasswordRetry |
|
108 |
' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 |
|
109 |
SINGLE-VALUE ) |
|
110 |
olcAttributeTypes: {34}( 1.3.6.1.4.1.3317.4.3.1.30 NAME 'radiusPortLimit' DE |
|
111 |
SC 'replyItem: Port-Limit' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1 |
|
112 |
466.115.121.1.26 SINGLE-VALUE ) |
|
113 |
olcAttributeTypes: {35}( 1.3.6.1.4.1.3317.4.3.1.49 NAME 'radiusProfileDn' DE |
|
114 |
SC '' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 |
|
115 |
SINGLE-VALUE ) |
|
116 |
olcAttributeTypes: {36}( 1.3.6.1.4.1.3317.4.3.1.31 NAME 'radiusPrompt' DESC |
|
117 |
'' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE- |
|
118 |
VALUE ) |
|
119 |
olcAttributeTypes: {37}( 1.3.6.1.4.1.3317.4.3.1.50 NAME 'radiusProxyToRealm' |
|
120 |
DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 S |
|
121 |
INGLE-VALUE ) |
|
122 |
olcAttributeTypes: {38}( 1.3.6.1.4.1.3317.4.3.1.51 NAME 'radiusReplicateToRe |
|
123 |
alm' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1. |
|
124 |
26 SINGLE-VALUE ) |
|
125 |
olcAttributeTypes: {39}( 1.3.6.1.4.1.3317.4.3.1.52 NAME 'radiusRealm' DESC ' |
|
126 |
' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-V |
|
127 |
ALUE ) |
|
128 |
olcAttributeTypes: {40}( 1.3.6.1.4.1.3317.4.3.1.32 NAME 'radiusServiceType' |
|
129 |
DESC 'replyItem: Service-Type' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4 |
|
130 |
.1.1466.115.121.1.26 SINGLE-VALUE ) |
|
131 |
olcAttributeTypes: {41}( 1.3.6.1.4.1.3317.4.3.1.33 NAME 'radiusSessionTimeou |
|
132 |
t' DESC 'replyItem: Session-Timeout' EQUALITY caseIgnoreIA5Match SYNTAX 1.3 |
|
133 |
.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
|
134 |
olcAttributeTypes: {42}( 1.3.6.1.4.1.3317.4.3.1.34 NAME 'radiusTerminationAc |
|
135 |
tion' DESC 'replyItem: Termination-Action' EQUALITY caseIgnoreIA5Match SYNT |
|
136 |
AX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
|
137 |
olcAttributeTypes: {43}( 1.3.6.1.4.1.3317.4.3.1.35 NAME 'radiusTunnelAssignm |
|
138 |
entId' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121. |
|
139 |
1.26 ) |
|
140 |
olcAttributeTypes: {44}( 1.3.6.1.4.1.3317.4.3.1.36 NAME 'radiusTunnelMediumT |
|
141 |
ype' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1. |
|
142 |
26 ) |
|
143 |
olcAttributeTypes: {45}( 1.3.6.1.4.1.3317.4.3.1.37 NAME 'radiusTunnelPasswor |
|
144 |
d' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 |
|
145 |
SINGLE-VALUE ) |
|
146 |
olcAttributeTypes: {46}( 1.3.6.1.4.1.3317.4.3.1.38 NAME 'radiusTunnelPrefere |
|
147 |
nce' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1. |
|
148 |
26 ) |
|
149 |
olcAttributeTypes: {47}( 1.3.6.1.4.1.3317.4.3.1.39 NAME 'radiusTunnelPrivate |
|
150 |
GroupId' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.12 |
|
151 |
1.1.26 ) |
|
152 |
olcAttributeTypes: {48}( 1.3.6.1.4.1.3317.4.3.1.40 NAME 'radiusTunnelServerE |
|
153 |
ndpoint' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.12 |
|
154 |
1.1.26 ) |
|
155 |
olcAttributeTypes: {49}( 1.3.6.1.4.1.3317.4.3.1.41 NAME 'radiusTunnelType' D |
|
156 |
ESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
|
157 |
olcAttributeTypes: {50}( 1.3.6.1.4.1.3317.4.3.1.42 NAME 'radiusVSA' DESC '' |
|
158 |
EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
|
159 |
olcAttributeTypes: {51}( 1.3.6.1.4.1.3317.4.3.1.43 NAME 'radiusTunnelClientE |
|
160 |
ndpoint' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.12 |
|
161 |
1.1.26 ) |
|
162 |
olcAttributeTypes: {52}( 1.3.6.1.4.1.3317.4.3.1.53 NAME 'radiusSimultaneousU |
|
163 |
se' DESC 'checkItem: Simultaneous-Use' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 |
|
164 |
SINGLE-VALUE ) |
|
165 |
olcAttributeTypes: {53}( 1.3.6.1.4.1.3317.4.3.1.54 NAME 'radiusLoginTime' DE |
|
166 |
SC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SING |
|
167 |
LE-VALUE ) |
|
168 |
olcAttributeTypes: {54}( 1.3.6.1.4.1.3317.4.3.1.55 NAME 'radiusUserCategory' |
|
169 |
DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 S |
|
170 |
INGLE-VALUE ) |
|
171 |
olcAttributeTypes: {55}( 1.3.6.1.4.1.3317.4.3.1.56 NAME 'radiusStripUserName |
|
172 |
' DESC '' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) |
|
173 |
olcAttributeTypes: {56}( 1.3.6.1.4.1.3317.4.3.1.57 NAME 'dialupAccess' DESC |
|
174 |
'' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE- |
|
175 |
VALUE ) |
|
176 |
olcAttributeTypes: {57}( 1.3.6.1.4.1.3317.4.3.1.58 NAME 'radiusExpiration' D |
|
177 |
ESC 'checkItem: Expiration' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1. |
|
178 |
1466.115.121.1.26 SINGLE-VALUE ) |
|
179 |
olcAttributeTypes: {58}( 1.3.6.1.4.1.3317.4.3.1.59 NAME 'radiusCheckItem' DE |
|
180 |
SC 'checkItem: $GENERIC$' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.14 |
|
181 |
66.115.121.1.26 ) |
|
182 |
olcAttributeTypes: {59}( 1.3.6.1.4.1.3317.4.3.1.60 NAME 'radiusReplyItem' DE |
|
183 |
SC 'replyItem: $GENERIC$' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.14 |
|
184 |
66.115.121.1.26 ) |
|
185 |
olcAttributeTypes: {60}( 1.3.6.1.4.1.3317.4.3.1.61 NAME 'radiusNASIpAddress' |
|
186 |
DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 S |
|
187 |
INGLE-VALUE ) |
|
188 |
olcAttributeTypes: {61}( 1.3.6.1.4.1.3317.4.3.1.62 NAME 'radiusReplyMessage' |
|
189 |
DESC 'replyItem: Reply-Message' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1 |
|
190 |
.4.1.1466.115.121.1.26 ) |
|
191 |
olcObjectClasses: {0}( 1.3.6.1.4.1.3317.4.3.2.1 NAME 'radiusprofile' DESC '' |
|
192 |
SUP top AUXILIARY MUST cn MAY ( radiusArapFeatures $ radiusArapSecurity $ |
|
193 |
radiusArapZoneAccess $ radiusAuthType $ radiusCallbackId $ radiusCallbackNu |
|
194 |
mber $ radiusCalledStationId $ radiusCallingStationId $ radiusClass $ radiu |
|
195 |
sClientIPAddress $ radiusFilterId $ radiusFramedAppleTalkLink $ radiusFrame |
|
196 |
dAppleTalkNetwork $ radiusFramedAppleTalkZone $ radiusFramedCompression $ r |
|
197 |
adiusFramedIPAddress $ radiusFramedIPNetmask $ radiusFramedIPXNetwork $ rad |
|
198 |
iusFramedMTU $ radiusFramedProtocol $ radiusCheckItem $ radiusReplyItem $ r |
|
199 |
adiusFramedRoute $ radiusFramedRouting $ radiusIdleTimeout $ radiusGroupNam |
|
200 |
e $ radiusHint $ radiusHuntgroupName $ radiusLoginIPHost $ radiusLoginLATGr |
|
201 |
oup $ radiusLoginLATNode $ radiusLoginLATPort $ radiusLoginLATService $ rad |
|
202 |
iusLoginService $ radiusLoginTCPPort $ radiusLoginTime $ radiusPasswordRetr |
|
203 |
y $ radiusPortLimit $ radiusPrompt $ radiusProxyToRealm $ radiusRealm $ rad |
|
204 |
iusReplicateToRealm $ radiusServiceType $ radiusSessionTimeout $ radiusStri |
|
205 |
pUserName $ radiusTerminationAction $ radiusTunnelClientEndpoint $ radiusPr |
|
206 |
ofileDn $ radiusSimultaneousUse $ radiusTunnelAssignmentId $ radiusTunnelMe |
|
207 |
diumType $ radiusTunnelPassword $ radiusTunnelPreference $ radiusTunnelPriv |
|
208 |
ateGroupId $ radiusTunnelServerEndpoint $ radiusTunnelType $ radiusUserCate |
|
209 |
gory $ radiusVSA $ radiusExpiration $ dialupAccess $ radiusNASIpAddress $ r |
|
210 |
adiusReplyMessage ) ) |
|
211 |
olcObjectClasses: {1}( 1.3.6.1.4.1.3317.4.3.2.2 NAME 'radiusObjectProfile' D |
|
212 |
ESC 'A Container Objectclass to be used for creating radius profile object' |
|
213 |
SUP top STRUCTURAL MUST cn MAY ( uid $ userPassword $ description ) ) |
|
214 |
|
share/config.ldif | ||
---|---|---|
1 |
dn: cn=config |
|
2 |
objectClass: olcGlobal |
|
3 |
cn: config |
|
4 |
olcArgsFile: /var/run/slapd/slapd.args |
|
5 |
olcPidFile: /var/run/slapd/slapd.pid |
|
6 |
olcToolThreads: 1 |
|
7 |
olcLogLevel: none |
|
8 |
olcServerId: 1 |
|
9 |
|
|
10 |
dn: cn=module{0},cn=config |
|
11 |
objectClass: olcModuleList |
|
12 |
cn: module{0} |
|
13 |
olcModulePath: /usr/lib/ldap |
|
14 |
olcModuleLoad: {0}back_hdb |
|
15 |
olcModuleLoad: {1}back_monitor |
|
16 |
olcModuleLoad: {2}back_mdb |
|
17 |
olcModuleLoad: {3}accesslog |
|
18 |
olcModuleLoad: {4}unique |
|
19 |
olcModuleLoad: {5}refint |
|
20 |
olcModuleLoad: {6}constraint |
|
21 |
olcModuleLoad: {7}syncprov |
|
22 |
|
|
23 |
dn: cn=schema,cn=config |
|
24 |
objectClass: olcSchemaConfig |
|
25 |
cn: schema |
|
26 |
|
|
27 |
dn: olcDatabase={-1}frontend,cn=config |
|
28 |
objectClass: olcDatabaseConfig |
|
29 |
objectClass: olcFrontendConfig |
|
30 |
olcDatabase: {-1}frontend |
|
31 |
olcAccess: {0}to * |
|
32 |
by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage |
|
33 |
by * break |
|
34 |
olcAccess: {1}to dn.exact="" by * read |
|
35 |
olcAccess: {2}to dn.base="cn=Subschema" by * read |
|
36 |
olcSizeLimit: 500 |
|
37 |
|
|
38 |
dn: olcDatabase={0}config,cn=config |
|
39 |
objectClass: olcDatabaseConfig |
|
40 |
olcDatabase: {0}config |
|
41 |
olcAccess: {0}to * |
|
42 |
by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage |
|
43 |
by * break |
|
44 |
olcRootDN: cn=admin,cn=config |
|
45 |
|
|
46 |
dn: olcDatabase={1}mdb,cn=config |
|
47 |
objectClass: olcDatabaseConfig |
|
48 |
objectClass: olcMdbConfig |
|
49 |
olcSuffix: cn=config-accesslog |
|
50 |
olcDbDirectory: /var/lib/ldap/config-accesslog/ |
|
51 |
# Allow reading accesslog only by root |
|
52 |
olcAccess: {0}to * |
|
53 |
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read |
|
54 |
by * break |
|
55 |
|
|
56 |
dn: olcDatabase={1}monitor,cn=config |
|
57 |
objectClass: olcDatabaseConfig |
|
58 |
objectClass: olcMonitorConfig |
|
59 |
olcDatabase: {1}monitor |
|
60 |
# Allow reading monitoring only by root |
|
61 |
olcAccess: {0}to * |
|
62 |
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read |
|
63 |
by * break |
|
64 |
|
|
65 |
# Log all writes to the configuration |
|
66 |
dn: olcOverlay={0}accesslog,olcDatabase={0}config,cn=config |
|
67 |
objectClass: olcAccesslogConfig |
|
68 |
objectClass: olcOverlayConfig |
|
69 |
objectClass: olcConfig |
|
70 |
objectClass: top |
|
71 |
olcOverlay: {0}accesslog |
|
72 |
olcAccessLogDB: cn=config-accesslog |
|
73 |
olcAccessLogOps: writes |
|
74 |
# log are conserved one year and purged every day |
|
75 |
olcAccessLogPurge: 365+00:00 1+00:00 |
|
76 |
olcAccessLogOld: objectClass=olcConfig |
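Review bot: The accesslog database entry `dn: olcDatabase={1}mdb,cn=config` reuses ordering index {1}, which `dn: olcDatabase={1}monitor,cn=config` further down also claims, and unlike its siblings (`olcDatabase: {0}config`, `olcDatabase: {1}monitor`) it carries no `olcDatabase:` attribute at all; slapd orders sibling databases by that index, so I would expect the load to either fail or silently renumber one of them — please verify with `slapadd -n0` before relying on this file. Suggested lines: `olcDatabase: {1}mdb` in the accesslog entry, and `dn: olcDatabase={2}monitor,cn=config` / `olcDatabase: {2}monitor` for the monitor database. Separately, `olcLogLevel: none` leaves essentially no operational logging, not even failed binds, so nothing from this directory can feed detection of credential stuffing against the portal; `olcLogLevel: stats` is the usual operational minimum. Note also that with `olcAccessLogOld: objectClass=olcConfig` the overlay records prior attribute values, which would include any `olcRootPW` later set on a config entry, so the root-only read ACL on the accesslog database is load-bearing and should not be loosened.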
share/radius-default.conf | ||
---|---|---|
1 |
# Authorization. First preprocess (hints and huntgroups files), |
|
2 |
# then realms, and finally look in the "users" file. |
|
3 |
# |
|
4 |
# Any changes made here should also be made to the "inner-tunnel" |
|
5 |
# virtual server. |
|
6 |
# |
|
7 |
# The order of the realm modules will determine the order that |
|
8 |
# we try to find a matching realm. |
|
9 |
# |
|
10 |
# Make *sure* that 'preprocess' comes before any realm if you |
|
11 |
# need to setup hints for the remote radius server |
|
12 |
authorize { |
|
13 |
|
|
14 |
# |
|
15 |
# Security settings. Take a User-Name, and do some simple |
|
16 |
# checks on it, for spaces and other invalid characters. If |
|
17 |
# it looks like the user is trying to play games, reject it. |
|
18 |
# |
|
19 |
# This should probably be enabled by default. |
|
20 |
# |
|
21 |
# See policy.conf for the definition of the filter_username policy. |
|
22 |
# |
|
23 |
# filter_username |
|
24 |
|
|
25 |
# |
|
26 |
# The preprocess module takes care of sanitizing some bizarre |
|
27 |
# attributes in the request, and turning them into attributes |
|
28 |
# which are more standard. |
|
29 |
# |
|
30 |
# It takes care of processing the 'raddb/hints' and the |
|
31 |
# 'raddb/huntgroups' files. |
|
32 |
preprocess |
|
33 |
|
|
34 |
# |
|
35 |
# If you want to have a log of authentication requests, |
|
36 |
# un-comment the following line, and the 'detail auth_log' |
|
37 |
# section, above. |
|
38 |
auth_log |
|
39 |
|
|
40 |
ldap |
|
41 |
|
|
42 |
# |
|
43 |
# The chap module will set 'Auth-Type := CHAP' if we are |
|
44 |
# handling a CHAP request and Auth-Type has not already been set |
|
45 |
chap |
|
46 |
|
|
47 |
# |
|
48 |
# If the users are logging in with an MS-CHAP-Challenge |
|
49 |
# attribute for authentication, the mschap module will find |
|
50 |
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' |
|
51 |
# to the request, which will cause the server to then use |
|
52 |
# the mschap module for authentication. |
|
53 |
mschap |
|
54 |
|
|
55 |
# |
|
56 |
# If you have a Cisco SIP server authenticating against |
|
57 |
# FreeRADIUS, uncomment the following line, and the 'digest' |
|
58 |
# line in the 'authenticate' section. |
|
59 |
digest |
|
60 |
|
|
61 |
# |
|
62 |
# The WiMAX specification says that the Calling-Station-Id |
|
63 |
# is 6 octets of the MAC. This definition conflicts with |
|
64 |
# RFC 3580, and all common RADIUS practices. Un-commenting |
|
65 |
# the "wimax" module here means that it will fix the |
|
66 |
# Calling-Station-Id attribute to the normal format as |
|
67 |
# specified in RFC 3580 Section 3.21 |
|
68 |
# wimax |
|
69 |
|
|
70 |
# |
|
71 |
# Look for IPASS style 'realm/', and if not found, look for |
|
72 |
# '@realm', and decide whether or not to proxy, based on |
|
73 |
# that. |
|
74 |
# IPASS |
|
75 |
|
|
76 |
# |
|
77 |
# If you are using multiple kinds of realms, you probably |
|
78 |
# want to set "ignore_null = yes" for all of them. |
|
79 |
# Otherwise, when the first style of realm doesn't match, |
|
80 |
# the other styles won't be checked. |
|
81 |
# |
|
82 |
suffix |
|
83 |
# ntdomain |
|
84 |
|
|
85 |
# |
|
86 |
# This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP |
|
87 |
# authentication. |
|
88 |
# |
|
89 |
# It also sets the EAP-Type attribute in the request |
|
90 |
# attribute list to the EAP type from the packet. |
|
91 |
# |
|
92 |
# As of 2.0, the EAP module returns "ok" in the authorize stage |
|
93 |
# for TTLS and PEAP. In 1.x, it never returned "ok" here, so |
|
94 |
# this change is compatible with older configurations. |
|
95 |
# |
|
96 |
# The example below uses module failover to avoid querying all |
|
97 |
# of the following modules if the EAP module returns "ok". |
|
98 |
# Therefore, your LDAP and/or SQL servers will not be queried |
|
99 |
# for the many packets that go back and forth to set up TTLS |
|
100 |
# or PEAP. The load on those servers will therefore be reduced. |
|
101 |
# |
|
102 |
eap { |
|
103 |
ok = return |
|
104 |
} |
|
105 |
|
|
106 |
# |
|
107 |
# Pull crypt'd passwords from /etc/passwd or /etc/shadow, |
|
108 |
# using the system API's to get the password. If you want |
|
109 |
# to read /etc/passwd or /etc/shadow directly, see the |
|
110 |
# passwd module in radiusd.conf. |
|
111 |
# |
|
112 |
# unix |
|
113 |
|
|
114 |
# |
|
115 |
# Read the 'users' file |
|
116 |
# files |
|
117 |
|
|
118 |
# |
|
119 |
# Look in an SQL database. The schema of the database |
|
120 |
# is meant to mirror the "users" file. |
|
121 |
# |
|
122 |
# See "Authorization Queries" in sql.conf |
|
123 |
# sql |
|
124 |
|
|
125 |
# |
|
126 |
# If you are using /etc/smbpasswd, and are also doing |
|
127 |
# mschap authentication, the un-comment this line, and |
|
128 |
# configure the 'smbpasswd' module. |
|
129 |
# smbpasswd |
|
130 |
|
|
131 |
exec |
|
132 |
# |
|
133 |
# The ldap module will set Auth-Type to LDAP if it has not |
|
134 |
# already been set |
|
135 |
|
|
136 |
# |
|
137 |
# Enforce daily limits on time spent logged in. |
|
138 |
# daily |
|
139 |
|
|
140 |
# |
|
141 |
# Use the checkval module |
|
142 |
# checkval |
|
143 |
|
|
144 |
expiration |
|
145 |
logintime |
|
146 |
|
|
147 |
# |
|
148 |
# If no other module has claimed responsibility for |
|
149 |
# authentication, then try to use PAP. This allows the |
|
150 |
# other modules listed above to add a "known good" password |
|
151 |
# to the request, and to do nothing else. The PAP module |
|
152 |
# will then see that password, and use it to do PAP |
|
153 |
# authentication. |
|
154 |
# |
|
155 |
# This module should be listed last, so that the other modules |
|
156 |
# get a chance to set Auth-Type for themselves. |
|
157 |
# |
|
158 |
pap |
|
159 |
|
|
160 |
# |
|
161 |
# If "status_server = yes", then Status-Server messages are passed |
|
162 |
# through the following section, and ONLY the following section. |
|
163 |
# This permits you to do DB queries, for example. If the modules |
|
164 |
# listed here return "fail", then NO response is sent. |
|
165 |
# |
|
166 |
# Autz-Type Status-Server { |
|
167 |
# |
|
168 |
# } |
|
169 |
} |
|
170 |
|
|
171 |
|
|
172 |
# Authentication. |
|
173 |
# |
|
174 |
# |
|
175 |
# This section lists which modules are available for authentication. |
|
176 |
# Note that it does NOT mean 'try each module in order'. It means |
|
177 |
# that a module from the 'authorize' section adds a configuration |
|
178 |
# attribute 'Auth-Type := FOO'. That authentication type is then |
|
179 |
# used to pick the apropriate module from the list below. |
|
180 |
# |
|
181 |
|
|
182 |
# In general, you SHOULD NOT set the Auth-Type attribute. The server |
|
183 |
# will figure it out on its own, and will do the right thing. The |
|
184 |
# most common side effect of erroneously setting the Auth-Type |
|
185 |
# attribute is that one authentication method will work, but the |
|
186 |
# others will not. |
|
187 |
# |
|
188 |
# The common reasons to set the Auth-Type attribute by hand |
|
189 |
# is to either forcibly reject the user (Auth-Type := Reject), |
|
190 |
# or to or forcibly accept the user (Auth-Type := Accept). |
|
191 |
# |
|
192 |
# Note that Auth-Type := Accept will NOT work with EAP. |
|
193 |
# |
|
194 |
# Please do not put "unlang" configurations into the "authenticate" |
|
195 |
# section. Put them in the "post-auth" section instead. That's what |
|
196 |
# the post-auth section is for. |
|
197 |
# |
|
198 |
authenticate { |
|
199 |
# |
|
200 |
# PAP authentication, when a back-end database listed |
|
201 |
# in the 'authorize' section supplies a password. The |
|
202 |
# password can be clear-text, or encrypted. |
|
203 |
Auth-Type PAP { |
|
204 |
pap |
|
205 |
} |
|
206 |
|
|
207 |
# |
|
208 |
# Most people want CHAP authentication |
|
209 |
# A back-end database listed in the 'authorize' section |
|
210 |
# MUST supply a CLEAR TEXT password. Encrypted passwords |
|
211 |
# won't work. |
|
212 |
Auth-Type CHAP { |
|
213 |
chap |
|
214 |
} |
|
215 |
|
|
216 |
# |
|
217 |
# MSCHAP authentication. |
|
218 |
Auth-Type MS-CHAP { |
|
219 |
mschap |
|
220 |
} |
|
221 |
|
|
222 |
# |
|
223 |
# If you have a Cisco SIP server authenticating against |
|
224 |
# FreeRADIUS, uncomment the following line, and the 'digest' |
|
225 |
# line in the 'authorize' section. |
|
226 |
digest |
|
227 |
|
|
228 |
# |
|
229 |
# Pluggable Authentication Modules. |
|
230 |
# pam |
|
231 |
|
|
232 |
# |
|
233 |
# See 'man getpwent' for information on how the 'unix' |
|
234 |
# module checks the users password. Note that packets |
|
235 |
# containing CHAP-Password attributes CANNOT be authenticated |
|
236 |
# against /etc/passwd! See the FAQ for details. |
|
237 |
# |
|
238 |
# For normal "crypt" authentication, the "pap" module should |
|
239 |
# be used instead of the "unix" module. The "unix" module should |
|
240 |
# be used for authentication ONLY for compatibility with legacy |
|
241 |
# FreeRADIUS configurations. |
|
242 |
# |
|
243 |
unix |
|
244 |
|
|
245 |
# Uncomment it if you want to use ldap for authentication |
|
246 |
# |
|
247 |
# Note that this means "check plain-text password against |
|
248 |
# the ldap database", which means that EAP won't work, |
|
249 |
# as it does not supply a plain-text password. |
|
250 |
Auth-Type LDAP { |
|
251 |
ldap |
|
252 |
} |
|
253 |
|
|
254 |
# |
|
255 |
# Allow EAP authentication. |
|
256 |
eap |
|
257 |
|
|
258 |
# |
|
259 |
# The older configurations sent a number of attributes in |
|
260 |
# Access-Challenge packets, which wasn't strictly correct. |
|
261 |
# If you want to filter out these attributes, uncomment |
|
262 |
# the following lines. |
|
263 |
# |
|
264 |
# Auth-Type eap { |
|
265 |
# eap { |
|
266 |
# handled = 1 |
|
267 |
# } |
|
268 |
# if (handled && (Response-Packet-Type == Access-Challenge)) { |
|
269 |
# attr_filter.access_challenge.post-auth |
|
270 |
# handled # override the "updated" code from attr_filter |
|
271 |
# } |
|
272 |
# } |
|
273 |
} |
|
274 |
|
|
275 |
|
|
276 |
# |
|
277 |
# Pre-accounting. Decide which accounting type to use. |
|
278 |
# |
|
279 |
preacct { |
|
280 |
preprocess |
|
281 |
|
|
282 |
# |
|
283 |
# Session start times are *implied* in RADIUS. |
|
284 |
# The NAS never sends a "start time". Instead, it sends |
|
285 |
# a start packet, *possibly* with an Acct-Delay-Time. |
|
286 |
# The server is supposed to conclude that the start time |
|
287 |
# was "Acct-Delay-Time" seconds in the past. |
|
288 |
# |
|
289 |
# The code below creates an explicit start time, which can |
|
290 |
# then be used in other modules. |
|
291 |
# |
|
292 |
# The start time is: NOW - delay - session_length |
|
293 |
# |
|
294 |
|
|
295 |
# update request { |
|
296 |
# FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}" |
|
297 |
# } |
|
298 |
|
|
299 |
|
|
300 |
# |
|
301 |
# Ensure that we have a semi-unique identifier for every |
|
302 |
# request, and many NAS boxes are broken. |
|
303 |
acct_unique |
|
304 |
|
|
305 |
# |
|
306 |
# Look for IPASS-style 'realm/', and if not found, look for |
|
307 |
# '@realm', and decide whether or not to proxy, based on |
|
308 |
# that. |
|
309 |
# |
|
310 |
# Accounting requests are generally proxied to the same |
|
311 |
# home server as authentication requests. |
|
312 |
# IPASS |
|
313 |
suffix |
|
314 |
# ntdomain |
|
315 |
|
|
316 |
# |
|
317 |
# Read the 'acct_users' file |
|
318 |
files |
|
319 |
} |
|
320 |
|
|
321 |
# |
|
322 |
# Accounting. Log the accounting data. |
|
323 |
# |
|
324 |
accounting { |
|
325 |
# |
|
326 |
# Create a 'detail'ed log of the packets. |
|
327 |
# Note that accounting requests which are proxied |
|
328 |
# are also logged in the detail file. |
|
329 |
detail |
|
330 |
# daily |
|
331 |
|
|
332 |
# Update the wtmp file |
|
333 |
# |
|
334 |
# If you don't use "radlast", you can delete this line. |
|
335 |
# unix |
|
336 |
|
|
337 |
# |
|
338 |
# For Simultaneous-Use tracking. |
|
339 |
# |
|
340 |
# Due to packet losses in the network, the data here |
|
341 |
# may be incorrect. There is little we can do about it. |
|
342 |
# radutmp |
|
343 |
# sradutmp |
|
344 |
|
|
345 |
# Return an address to the IP Pool when we see a stop record. |
|
346 |
# main_pool |
|
347 |
|
|
348 |
# |
|
349 |
# Log traffic to an SQL database. |
|
350 |
# |
|
351 |
# See "Accounting queries" in sql.conf |
|
352 |
# sql |
|
353 |
|
|
354 |
# |
|
355 |
# If you receive stop packets with zero session length, |
|
356 |
# they will NOT be logged in the database. The SQL module |
|
357 |
# will print a message (only in debugging mode), and will |
|
358 |
# return "noop". |
|
359 |
# |
|
360 |
# You can ignore these packets by uncommenting the following |
|
361 |
# three lines. Otherwise, the server will not respond to the |
|
362 |
# accounting request, and the NAS will retransmit. |
|
363 |
# |
|
364 |
# if (noop) { |
|
365 |
# ok |
|
366 |
# } |
|
367 |
|
|
368 |
# |
|
369 |
# Instead of sending the query to the SQL server, |
|
370 |
# write it into a log file. |
|
371 |
# |
|
372 |
# sql_log |
|
373 |
|
|
374 |
# Cisco VoIP specific bulk accounting |
|
375 |
# pgsql-voip |
|
376 |
|
|
377 |
# For Exec-Program and Exec-Program-Wait |
|
378 |
exec |
|
379 |
|
|
380 |
# Filter attributes from the accounting response. |
|
381 |
attr_filter.accounting_response |
|
382 |
|
|
383 |
# |
|
384 |
# See "Autz-Type Status-Server" for how this works. |
|
385 |
# |
|
386 |
# Acct-Type Status-Server { |
|
387 |
# |
|
388 |
# } |
|
389 |
} |
|
390 |
|
|
391 |
|
|
392 |
# Session database, used for checking Simultaneous-Use. Either the radutmp |
|
393 |
# or rlm_sql module can handle this. |
|
394 |
# The rlm_sql module is *much* faster |
|
395 |
session { |
|
396 |
radutmp |
|
397 |
|
|
398 |
# |
|
399 |
# See "Simultaneous Use Checking Queries" in sql.conf |
|
400 |
# sql |
|
401 |
} |
|
402 |
|
|
403 |
|
|
404 |
# Post-Authentication |
|
405 |
# Once we KNOW that the user has been authenticated, there are |
|
406 |
# additional steps we can take. |
|
407 |
post-auth { |
|
408 |
# Get an address from the IP Pool. |
|
409 |
# main_pool |
|
410 |
|
|
411 |
# |
|
412 |
# If you want to have a log of authentication replies, |
|
413 |
# un-comment the following line, and the 'detail reply_log' |
|
414 |
# section, above. |
|
415 |
# reply_log |
|
416 |
|
|
417 |
# |
|
418 |
# After authenticating the user, do another SQL query. |
|
419 |
# |
|
420 |
# See "Authentication Logging Queries" in sql.conf |
|
421 |
# sql |
|
422 |
|
|
423 |
# |
|
424 |
# Instead of sending the query to the SQL server, |
|
425 |
# write it into a log file. |
|
426 |
# |
|
427 |
# sql_log |
|
428 |
|
|
429 |
# |
|
430 |
# Un-comment the following if you have set |
|
431 |
# 'edir_account_policy_check = yes' in the ldap module sub-section of |
|
432 |
# the 'modules' section. |
|
433 |
# |
|
434 |
# ldap |
|
435 |
|
|
436 |
# For Exec-Program and Exec-Program-Wait |
|
437 |
exec |
|
438 |
|
|
439 |
# |
|
440 |
# Calculate the various WiMAX keys. In order for this to work, |
|
441 |
# you will need to define the WiMAX NAI, usually via |
|
442 |
# |
|
443 |
# update request { |
|
444 |
# WiMAX-MN-NAI = "%{User-Name}" |
|
445 |
# } |
|
446 |
# |
|
447 |
# If you want various keys to be calculated, you will need to |
|
448 |
# update the reply with "template" values. The module will see |
|
449 |
# this, and replace the template values with the correct ones |
|
450 |
# taken from the cryptographic calculations. e.g. |
|
451 |
# |
|
452 |
# update reply { |
|
453 |
# WiMAX-FA-RK-Key = 0x00 |
|
454 |
# WiMAX-MSK = "%{EAP-MSK}" |
|
455 |
# } |
|
456 |
# |
|
457 |
# You may want to delete the MS-MPPE-*-Keys from the reply, |
|
458 |
# as some WiMAX clients behave badly when those attributes |
|
459 |
# are included. See "raddb/modules/wimax", configuration |
|
460 |
# entry "delete_mppe_keys" for more information. |
|
461 |
# |
|
462 |
# wimax |
|
463 |
|
|
464 |
# If there is a client certificate (EAP-TLS, sometimes PEAP |
|
465 |
# and TTLS), then some attributes are filled out after the |
|
466 |
# certificate verification has been performed. These fields |
|
467 |
# MAY be available during the authentication, or they may be |
|
468 |
# available only in the "post-auth" section. |
|
469 |
# |
|
470 |
# The first set of attributes contains information about the |
|
471 |
# issuing certificate which is being used. The second |
|
472 |
# contains information about the client certificate (if |
|
473 |
# available). |
|
474 |
# |
|
475 |
# update reply { |
|
476 |
# Reply-Message += "%{TLS-Cert-Serial}" |
|
477 |
# Reply-Message += "%{TLS-Cert-Expiration}" |
|
478 |
# Reply-Message += "%{TLS-Cert-Subject}" |
|
479 |
# Reply-Message += "%{TLS-Cert-Issuer}" |
|
480 |
# Reply-Message += "%{TLS-Cert-Common-Name}" |
|
481 |
# Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}" |
|
482 |
# |
|
483 |
# Reply-Message += "%{TLS-Client-Cert-Serial}" |
|
484 |
# Reply-Message += "%{TLS-Client-Cert-Expiration}" |
|
485 |
# Reply-Message += "%{TLS-Client-Cert-Subject}" |
|
486 |
# Reply-Message += "%{TLS-Client-Cert-Issuer}" |
|
487 |
# Reply-Message += "%{TLS-Client-Cert-Common-Name}" |
|
488 |
# Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}" |
|
489 |
# } |
|
490 |
|
|
491 |
# MacSEC requires the use of EAP-Key-Name. However, we don't |
|
492 |
# want to send it for all EAP sessions. Therefore, the EAP |
|
493 |
# modules put required data into the EAP-Session-Id attribute. |
|
494 |
# This attribute is never put into a request or reply packet. |
|
495 |
# |
|
496 |
# Uncomment the next few lines to copy the required data into |
|
497 |
# the EAP-Key-Name attribute |
|
498 |
# if (reply:EAP-Session-Id) { |
|
499 |
# update reply { |
|
500 |
# EAP-Key-Name := "%{reply:EAP-Session-Id}" |
|
501 |
# } |
|
502 |
# } |
|
503 |
|
|
504 |
# If the WiMAX module did it's work, you may want to do more |
|
505 |
# things here, like delete the MS-MPPE-*-Key attributes. |
|
506 |
# |
|
507 |
# if (updated) { |
|
508 |
# update reply { |
|
509 |
# MS-MPPE-Recv-Key !* 0x00 |
|
510 |
# MS-MPPE-Send-Key !* 0x00 |
|
511 |
# } |
|
512 |
# } |
|
513 |
|
|
514 |
# |
|
515 |
# Access-Reject packets are sent through the REJECT sub-section of the |
|
516 |
# post-auth section. |
|
517 |
# |
|
518 |
# Add the ldap module name (or instance) if you have set |
|
519 |
# 'edir_account_policy_check = yes' in the ldap module configuration |
|
520 |
# |
|
521 |
Post-Auth-Type REJECT { |
|
522 |
# log failed authentications in SQL, too. |
|
523 |
# sql |
|
524 |
attr_filter.access_reject |
|
525 |
} |
|
526 |
} |
|
527 |
|
|
528 |
# |
|
529 |
# When the server decides to proxy a request to a home server, |
|
530 |
# the proxied request is first passed through the pre-proxy |
|
531 |
# stage. This stage can re-write the request, or decide to |
|
532 |
# cancel the proxy. |
|
533 |
# |
|
534 |
# Only a few modules currently have this method. |
|
535 |
# |
|
536 |
pre-proxy { |
|
537 |
# attr_rewrite |
|
538 |
|
|
539 |
# Uncomment the following line if you want to change attributes |
|
540 |
# as defined in the preproxy_users file. |
|
541 |
# files |
|
542 |
|
|
543 |
# Uncomment the following line if you want to filter requests |
|
544 |
# sent to remote servers based on the rules defined in the |
|
545 |
# 'attrs.pre-proxy' file. |
|
546 |
# attr_filter.pre-proxy |
|
547 |
|
|
548 |
# If you want to have a log of packets proxied to a home |
|
549 |
# server, un-comment the following line, and the |
|
550 |
# 'detail pre_proxy_log' section, above. |
|
551 |
# pre_proxy_log |
|
552 |
} |
|
553 |
|
|
554 |
# |
|
555 |
# When the server receives a reply to a request it proxied |
|
556 |
# to a home server, the request may be massaged here, in the |
|
557 |
# post-proxy stage. |
|
558 |
# |
|
559 |
post-proxy { |
|
560 |
|
|
561 |
# If you want to have a log of replies from a home server, |
|
562 |
# un-comment the following line, and the 'detail post_proxy_log' |
|
563 |
# section, above. |
|
564 |
# post_proxy_log |
|
565 |
|
|
566 |
# attr_rewrite |
|
567 |
|
|
568 |
# Uncomment the following line if you want to filter replies from |
|
569 |
# remote proxies based on the rules defined in the 'attrs' file. |
|
570 |
# attr_filter.post-proxy |
|
571 |
|
|
572 |
# |
|
573 |
# If you are proxying LEAP, you MUST configure the EAP |
|
574 |
# module, and you MUST list it here, in the post-proxy |
|
575 |
# stage. |
|
576 |
# |
|
577 |
# You MUST also use the 'nostrip' option in the 'realm' |
|
578 |
# configuration. Otherwise, the User-Name attribute |
|
579 |
# in the proxied request will not match the user name |
|
580 |
# hidden inside of the EAP packet, and the end server will |
|
581 |
# reject the EAP request. |
|
582 |
# |
|
583 |
eap |
|
584 |
|
|
585 |
# |
|
586 |
# If the server tries to proxy a request and fails, then the |
|
587 |
# request is processed through the modules in this section. |
|
588 |
# |
|
589 |
# The main use of this section is to permit robust proxying |
|
590 |
# of accounting packets. The server can be configured to |
|
591 |
# proxy accounting packets as part of normal processing. |
|
592 |
# Then, if the home server goes down, accounting packets can |
|
593 |
# be logged to a local "detail" file, for processing with |
|
594 |
# radrelay. When the home server comes back up, radrelay |
|
595 |
# will read the detail file, and send the packets to the |
|
596 |
# home server. |
|
597 |
# |
|
598 |
# With this configuration, the server always responds to |
|
599 |
# Accounting-Requests from the NAS, but only writes |
|
600 |
# accounting packets to disk if the home server is down. |
|
601 |
# |
|
602 |
# Post-Proxy-Type Fail { |
|
603 |
# detail |
|
604 |
# } |
|
605 |
} |
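Review bot: `auth_log` is enabled in the authorize section while `Auth-Type LDAP { ldap }` authenticates by plain-text bind, so every Access-Request, including the cleartext User-Password that PAP carries, is written to the detail file unless the `detail auth_log` instance (defined outside this file) suppresses it; please confirm that instance has `suppress { User-Password }` and a restrictive `detailperm`, or comment `auth_log` back out. The comments have not been kept in step with the edits: `# Uncomment it if you want to use ldap for authentication` now sits above an already uncommented block, so replace it with something like `# LDAP bind is the only authentication method for the portal; EAP will not work with it`. `digest` is active in both authorize and authenticate although the note above each says to enable it only for a Cisco SIP server; unless SIP is in scope it should go back to `# digest`. `filter_username` is still commented out even though User-Name here presumably arrives straight from a captive-portal form, so the upstream check for spaces and odd characters is worth enabling.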
share/radius.ldif | ||
---|---|---|
1 |
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify. |
|
2 |
# CRC32 f395ae99 |
|
3 |
dn: cn=radius,cn=schema,cn=config |
|
4 |
objectClass: olcSchemaConfig |
|
5 |
cn: radius |
|
6 |
olcAttributeTypes: {0}( 1.3.6.1.4.1.3317.4.3.1.1 NAME 'radiusArapFeatures' D |
|
7 |
ESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SIN |
|
8 |
GLE-VALUE ) |
|
9 |
olcAttributeTypes: {1}( 1.3.6.1.4.1.3317.4.3.1.2 NAME 'radiusArapSecurity' D |
|
10 |
ESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SIN |
|
11 |
GLE-VALUE ) |
|
12 |
olcAttributeTypes: {2}( 1.3.6.1.4.1.3317.4.3.1.3 NAME 'radiusArapZoneAccess' |
|
13 |
DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 S |
|
14 |
INGLE-VALUE ) |
|
15 |
olcAttributeTypes: {3}( 1.3.6.1.4.1.3317.4.3.1.44 NAME 'radiusAuthType' DESC |
|
16 |
'checkItem: Auth-Type' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466 |
|
17 |
.115.121.1.26 SINGLE-VALUE ) |
|
18 |
olcAttributeTypes: {4}( 1.3.6.1.4.1.3317.4.3.1.4 NAME 'radiusCallbackId' DES |
|
19 |
C 'replyItem: Callback-Id' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1 |
|
20 |
466.115.121.1.26 SINGLE-VALUE ) |
|
21 |
olcAttributeTypes: {5}( 1.3.6.1.4.1.3317.4.3.1.5 NAME 'radiusCallbackNumber' |
|
22 |
DESC 'replyItem: Callback-Number' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6 |
|
23 |
.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
|
24 |
olcAttributeTypes: {6}( 1.3.6.1.4.1.3317.4.3.1.6 NAME 'radiusCalledStationId |
|
25 |
' DESC 'checkItem: Called-Station-Id' EQUALITY caseIgnoreIA5Match SYNTAX 1. |
|
26 |
3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
|
27 |
olcAttributeTypes: {7}( 1.3.6.1.4.1.3317.4.3.1.7 NAME 'radiusCallingStationI |
|
28 |
d' DESC 'checkItem: Calling-Station-Id' EQUALITY caseIgnoreIA5Match SYNTAX |
|
29 |
1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
|
30 |
olcAttributeTypes: {8}( 1.3.6.1.4.1.3317.4.3.1.8 NAME 'radiusClass' DESC 're |
|
31 |
plyItem: Class' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121 |
|
32 |
.1.26 ) |
|
33 |
olcAttributeTypes: {9}( 1.3.6.1.4.1.3317.4.3.1.45 NAME 'radiusClientIPAddres |
|
34 |
s' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 |
|
35 |
SINGLE-VALUE ) |
|
36 |
olcAttributeTypes: {10}( 1.3.6.1.4.1.3317.4.3.1.9 NAME 'radiusFilterId' DESC |
|
37 |
'replyItem: Filter-Id' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466 |
|
38 |
.115.121.1.26 ) |
|
39 |
olcAttributeTypes: {11}( 1.3.6.1.4.1.3317.4.3.1.10 NAME 'radiusFramedAppleTa |
|
40 |
lkLink' DESC 'replyItem: Framed-AppleTalk-Link' EQUALITY caseIgnoreIA5Match |
|
41 |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
|
42 |
olcAttributeTypes: {12}( 1.3.6.1.4.1.3317.4.3.1.11 NAME 'radiusFramedAppleTa |
|
43 |
lkNetwork' DESC 'replyItem: Framed-AppleTalk-Network' EQUALITY caseIgnoreIA |
|
44 |
5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
|
45 |
olcAttributeTypes: {13}( 1.3.6.1.4.1.3317.4.3.1.12 NAME 'radiusFramedAppleTa |
|
46 |
lkZone' DESC 'replyItem: Framed-AppleTalk-Zone' EQUALITY caseIgnoreIA5Match |
|
47 |
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
|
48 |
olcAttributeTypes: {14}( 1.3.6.1.4.1.3317.4.3.1.13 NAME 'radiusFramedCompres |
|
49 |
sion' DESC 'replyItem: Framed-Compression' EQUALITY caseIgnoreIA5Match SYNT |
|
50 |
AX 1.3.6.1.4.1.1466.115.121.1.26 ) |
|
51 |
olcAttributeTypes: {15}( 1.3.6.1.4.1.3317.4.3.1.14 NAME 'radiusFramedIPAddre |
|
52 |
ss' DESC 'replyItem: Framed-IP-Address' EQUALITY caseIgnoreIA5Match SYNTAX |
|
53 |
1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
|
54 |
olcAttributeTypes: {16}( 1.3.6.1.4.1.3317.4.3.1.15 NAME 'radiusFramedIPNetma |
|
55 |
sk' DESC 'replyItem: Framed-IP-Netmask' EQUALITY caseIgnoreIA5Match SYNTAX |
|
56 |
1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
|
57 |
olcAttributeTypes: {17}( 1.3.6.1.4.1.3317.4.3.1.16 NAME 'radiusFramedIPXNetw |
|
58 |
ork' DESC 'replyItem: Framed-IPX-Network' EQUALITY caseIgnoreIA5Match SYNTA |
|
59 |
X 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
|
60 |
olcAttributeTypes: {18}( 1.3.6.1.4.1.3317.4.3.1.17 NAME 'radiusFramedMTU' DE |
|
61 |
SC 'replyItem: Framed-MTU' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1 |
|
62 |
466.115.121.1.26 SINGLE-VALUE ) |
|
63 |
olcAttributeTypes: {19}( 1.3.6.1.4.1.3317.4.3.1.18 NAME 'radiusFramedProtoco |
|
64 |
l' DESC 'replyItem: Framed-Protocol' EQUALITY caseIgnoreIA5Match SYNTAX 1.3 |
|
65 |
.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
|
66 |
olcAttributeTypes: {20}( 1.3.6.1.4.1.3317.4.3.1.19 NAME 'radiusFramedRoute' |
|
67 |
DESC 'replyItem: Framed-Route' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4 |
|
68 |
.1.1466.115.121.1.26 ) |
|
69 |
olcAttributeTypes: {21}( 1.3.6.1.4.1.3317.4.3.1.20 NAME 'radiusFramedRouting |
|
70 |
' DESC 'replyItem: Framed-Routing' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6 |
|
71 |
.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
|
72 |
olcAttributeTypes: {22}( 1.3.6.1.4.1.3317.4.3.1.46 NAME 'radiusGroupName' DE |
|
73 |
SC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
|
74 |
olcAttributeTypes: {23}( 1.3.6.1.4.1.3317.4.3.1.47 NAME 'radiusHint' DESC '' |
|
75 |
EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VA |
|
76 |
LUE ) |
|
77 |
olcAttributeTypes: {24}( 1.3.6.1.4.1.3317.4.3.1.48 NAME 'radiusHuntgroupName |
|
78 |
' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 |
|
79 |
) |
|
80 |
olcAttributeTypes: {25}( 1.3.6.1.4.1.3317.4.3.1.21 NAME 'radiusIdleTimeout' |
|
81 |
DESC 'replyItem: Idle-Timeout' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4 |
|
82 |
.1.1466.115.121.1.26 SINGLE-VALUE ) |
|
83 |
olcAttributeTypes: {26}( 1.3.6.1.4.1.3317.4.3.1.22 NAME 'radiusLoginIPHost' |
|
84 |
DESC 'replyItem: Login-IP-Host' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1. |
|
85 |
4.1.1466.115.121.1.26 ) |
|
86 |
olcAttributeTypes: {27}( 1.3.6.1.4.1.3317.4.3.1.23 NAME 'radiusLoginLATGroup |
|
87 |
' DESC 'replyItem: Login-LAT-Group' EQUALITY caseIgnoreIA5Match SYNTAX 1.3. |
|
88 |
6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
|
89 |
olcAttributeTypes: {28}( 1.3.6.1.4.1.3317.4.3.1.24 NAME 'radiusLoginLATNode' |
|
90 |
DESC 'replyItem: Login-LAT-Node' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6. |
|
91 |
1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
|
92 |
olcAttributeTypes: {29}( 1.3.6.1.4.1.3317.4.3.1.25 NAME 'radiusLoginLATPort' |
|
93 |
DESC 'replyItem: Login-LAT-Port' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6. |
|
94 |
1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
|
95 |
olcAttributeTypes: {30}( 1.3.6.1.4.1.3317.4.3.1.26 NAME 'radiusLoginLATServi |
|
96 |
ce' DESC 'replyItem: Login-LAT-Service' EQUALITY caseIgnoreIA5Match SYNTAX |
|
97 |
1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
|
98 |
olcAttributeTypes: {31}( 1.3.6.1.4.1.3317.4.3.1.27 NAME 'radiusLoginService' |
|
99 |
DESC 'replyItem: Login-Service' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1 |
|
100 |
.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
|
101 |
olcAttributeTypes: {32}( 1.3.6.1.4.1.3317.4.3.1.28 NAME 'radiusLoginTCPPort' |
|
102 |
DESC 'replyItem: Login-TCP-Port' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6. |
|
103 |
1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
|
104 |
olcAttributeTypes: {33}( 1.3.6.1.4.1.3317.4.3.1.29 NAME 'radiusPasswordRetry |
|
105 |
' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 |
|
106 |
SINGLE-VALUE ) |
|
107 |
olcAttributeTypes: {34}( 1.3.6.1.4.1.3317.4.3.1.30 NAME 'radiusPortLimit' DE |
|
108 |
SC 'replyItem: Port-Limit' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1 |
|
109 |
466.115.121.1.26 SINGLE-VALUE ) |
|
110 |
olcAttributeTypes: {35}( 1.3.6.1.4.1.3317.4.3.1.49 NAME 'radiusProfileDn' DE |
|
111 |
SC '' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 |
|
112 |
SINGLE-VALUE ) |
|
113 |
olcAttributeTypes: {36}( 1.3.6.1.4.1.3317.4.3.1.31 NAME 'radiusPrompt' DESC |
|
114 |
'' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE- |
|
115 |
VALUE ) |
|
116 |
olcAttributeTypes: {37}( 1.3.6.1.4.1.3317.4.3.1.50 NAME 'radiusProxyToRealm' |
|
117 |
DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 S |
|
118 |
INGLE-VALUE ) |
|
119 |
olcAttributeTypes: {38}( 1.3.6.1.4.1.3317.4.3.1.51 NAME 'radiusReplicateToRe |
|
120 |
alm' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1. |
|
121 |
26 SINGLE-VALUE ) |
|
122 |
olcAttributeTypes: {39}( 1.3.6.1.4.1.3317.4.3.1.52 NAME 'radiusRealm' DESC ' |
|
123 |
' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-V |
|
124 |
ALUE ) |
|
125 |
olcAttributeTypes: {40}( 1.3.6.1.4.1.3317.4.3.1.32 NAME 'radiusServiceType' |
|
126 |
DESC 'replyItem: Service-Type' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4 |
|
127 |
.1.1466.115.121.1.26 SINGLE-VALUE ) |
|
128 |
olcAttributeTypes: {41}( 1.3.6.1.4.1.3317.4.3.1.33 NAME 'radiusSessionTimeou |
|
129 |
t' DESC 'replyItem: Session-Timeout' EQUALITY caseIgnoreIA5Match SYNTAX 1.3 |
|
130 |
.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
|
131 |
olcAttributeTypes: {42}( 1.3.6.1.4.1.3317.4.3.1.34 NAME 'radiusTerminationAc |
|
132 |
tion' DESC 'replyItem: Termination-Action' EQUALITY caseIgnoreIA5Match SYNT |
|
133 |
AX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
|
134 |
olcAttributeTypes: {43}( 1.3.6.1.4.1.3317.4.3.1.35 NAME 'radiusTunnelAssignm |
|
135 |
entId' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121. |
|
136 |
1.26 ) |
|
137 |
olcAttributeTypes: {44}( 1.3.6.1.4.1.3317.4.3.1.36 NAME 'radiusTunnelMediumT |
|
138 |
ype' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1. |
|
139 |
26 ) |
|
140 |
olcAttributeTypes: {45}( 1.3.6.1.4.1.3317.4.3.1.37 NAME 'radiusTunnelPasswor |
|
141 |
d' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 |
|
142 |
SINGLE-VALUE ) |
|
143 |
olcAttributeTypes: {46}( 1.3.6.1.4.1.3317.4.3.1.38 NAME 'radiusTunnelPrefere |
|
144 |
nce' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1. |
|
145 |
26 ) |
|
146 |
olcAttributeTypes: {47}( 1.3.6.1.4.1.3317.4.3.1.39 NAME 'radiusTunnelPrivate |
|
147 |
GroupId' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.12 |
|
148 |
1.1.26 ) |
|
149 |
olcAttributeTypes: {48}( 1.3.6.1.4.1.3317.4.3.1.40 NAME 'radiusTunnelServerE |
|
150 |
ndpoint' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.12 |
|
151 |
1.1.26 ) |
|
152 |
olcAttributeTypes: {49}( 1.3.6.1.4.1.3317.4.3.1.41 NAME 'radiusTunnelType' D |
|
153 |
ESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
|
154 |
olcAttributeTypes: {50}( 1.3.6.1.4.1.3317.4.3.1.42 NAME 'radiusVSA' DESC '' |
|
155 |
EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) |
|
156 |
olcAttributeTypes: {51}( 1.3.6.1.4.1.3317.4.3.1.43 NAME 'radiusTunnelClientE |
|
157 |
ndpoint' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.12 |
|
158 |
1.1.26 ) |
|
159 |
olcAttributeTypes: {52}( 1.3.6.1.4.1.3317.4.3.1.53 NAME 'radiusSimultaneousU |
|
160 |
se' DESC 'checkItem: Simultaneous-Use' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 |
|
161 |
SINGLE-VALUE ) |
|
162 |
olcAttributeTypes: {53}( 1.3.6.1.4.1.3317.4.3.1.54 NAME 'radiusLoginTime' DE |
|
163 |
SC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SING |
|
164 |
LE-VALUE ) |
|
165 |
olcAttributeTypes: {54}( 1.3.6.1.4.1.3317.4.3.1.55 NAME 'radiusUserCategory' |
|
166 |
DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 S |
|
167 |
INGLE-VALUE ) |
|
168 |
olcAttributeTypes: {55}( 1.3.6.1.4.1.3317.4.3.1.56 NAME 'radiusStripUserName |
|
169 |
' DESC '' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) |
|
170 |
olcAttributeTypes: {56}( 1.3.6.1.4.1.3317.4.3.1.57 NAME 'dialupAccess' DESC |
|
171 |
'' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE- |
|
172 |
VALUE ) |
|
173 |
olcAttributeTypes: {57}( 1.3.6.1.4.1.3317.4.3.1.58 NAME 'radiusExpiration' D |
|
174 |
ESC 'checkItem: Expiration' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1. |
|
175 |
1466.115.121.1.26 SINGLE-VALUE ) |
|
176 |
olcAttributeTypes: {58}( 1.3.6.1.4.1.3317.4.3.1.59 NAME 'radiusCheckItem' DE |
|
177 |
SC 'checkItem: $GENERIC$' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.14 |
|
178 |
66.115.121.1.26 ) |
|
179 |
olcAttributeTypes: {59}( 1.3.6.1.4.1.3317.4.3.1.60 NAME 'radiusReplyItem' DE |
|
180 |
SC 'replyItem: $GENERIC$' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.14 |
|
181 |
66.115.121.1.26 ) |
|
182 |
olcAttributeTypes: {60}( 1.3.6.1.4.1.3317.4.3.1.61 NAME 'radiusNASIpAddress' |
|
183 |
DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 S |
|
184 |
INGLE-VALUE ) |
|
185 |
olcAttributeTypes: {61}( 1.3.6.1.4.1.3317.4.3.1.62 NAME 'radiusReplyMessage' |
|
186 |
DESC 'replyItem: Reply-Message' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1 |
|
187 |
.4.1.1466.115.121.1.26 ) |
|
188 |
olcObjectClasses: {0}( 1.3.6.1.4.1.3317.4.3.2.1 NAME 'radiusprofile' DESC '' |
|
189 |
SUP top AUXILIARY MUST cn MAY ( radiusArapFeatures $ radiusArapSecurity $ |
|
190 |
radiusArapZoneAccess $ radiusAuthType $ radiusCallbackId $ radiusCallbackNu |
|
191 |
mber $ radiusCalledStationId $ radiusCallingStationId $ radiusClass $ radiu |
|
192 |
sClientIPAddress $ radiusFilterId $ radiusFramedAppleTalkLink $ radiusFrame |
|
193 |
dAppleTalkNetwork $ radiusFramedAppleTalkZone $ radiusFramedCompression $ r |
|
194 |
adiusFramedIPAddress $ radiusFramedIPNetmask $ radiusFramedIPXNetwork $ rad |
|
195 |
iusFramedMTU $ radiusFramedProtocol $ radiusCheckItem $ radiusReplyItem $ r |
|
196 |
adiusFramedRoute $ radiusFramedRouting $ radiusIdleTimeout $ radiusGroupNam |
|
197 |
e $ radiusHint $ radiusHuntgroupName $ radiusLoginIPHost $ radiusLoginLATGr |
|
198 |
oup $ radiusLoginLATNode $ radiusLoginLATPort $ radiusLoginLATService $ rad |
|
199 |
iusLoginService $ radiusLoginTCPPort $ radiusLoginTime $ radiusPasswordRetr |
|
200 |
y $ radiusPortLimit $ radiusPrompt $ radiusProxyToRealm $ radiusRealm $ rad |
|
201 |
iusReplicateToRealm $ radiusServiceType $ radiusSessionTimeout $ radiusStri |
|
202 |
pUserName $ radiusTerminationAction $ radiusTunnelClientEndpoint $ radiusPr |
|
203 |
ofileDn $ radiusSimultaneousUse $ radiusTunnelAssignmentId $ radiusTunnelMe |
|
204 |
diumType $ radiusTunnelPassword $ radiusTunnelPreference $ radiusTunnelPriv |
|
205 |
ateGroupId $ radiusTunnelServerEndpoint $ radiusTunnelType $ radiusUserCate |
|
206 |
gory $ radiusVSA $ radiusExpiration $ dialupAccess $ radiusNASIpAddress $ r |
|
207 |
adiusReplyMessage ) ) |
|
208 |
olcObjectClasses: {1}( 1.3.6.1.4.1.3317.4.3.2.2 NAME 'radiusObjectProfile' D |
|
209 |
ESC 'A Container Objectclass to be used for creating radius profile object' |
|
210 |
SUP top STRUCTURAL MUST cn MAY ( uid $ userPassword $ description ) ) |
u-auth.install | ||
---|---|---|
1 |
debian/u-auth-manage /usr/bin |
|
2 |
debian/settings.py /etc/u-auth |
|
3 |
debian/debian_config.py /usr/lib/u-auth |
|
4 |
debian/schema /usr/lib/u-auth |
|
1 |
debian/u-auth-manage /usr/bin |
|
2 |
debian/lib/u-auth /usr/lib/u-auth/ |
|
3 |
debian/lib/setup-radius /usr/lib/u-auth/ |
|
4 |
debian/lib/setup-slapd /usr/lib/u-auth/ |
|
5 |
debian/lib/reset-slapd /usr/lib/u-auth/ |
|
6 |
debian/share/config.ldif /usr/share/u-auth |
|
7 |
debian/share/radius-default.conf /usr/share/u-auth |
|
8 |
debian/share/radius.ldif /usr/share/u-auth |
|
9 |
debian/settings.py /etc/u-auth |
|
10 |
debian/debian_config.py /usr/lib/u-auth |
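--- a/u-auth.postinst
+++ b/u-auth.postinst
@@ -29,6 +29,9 @@
 chown root:$GROUP $SECRET_FILE
 chmod 0440 $SECRET_FILE
 fi
+
+/usr/lib/u-auth setup-slapd
+/usr/lib/u-auth setup-radius
 ;;
 
 abort-upgrade|abort-remove|abort-deconfigure)
@@ -42,4 +45,4 @@
 
 #DEBHELPER#
 
-exit 0
+exit 0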
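Review bot: The two added calls `/usr/lib/u-auth setup-slapd` and `/usr/lib/u-auth setup-radius` name a directory rather than an executable: the u-auth.install section in this same commit installs `debian/lib/u-auth`, `debian/lib/setup-slapd` and `debian/lib/setup-radius` into `/usr/lib/u-auth/`, so the dispatcher (if that is what `debian/lib/u-auth` is) ends up at `/usr/lib/u-auth/u-auth`. As written both lines fail with "Is a directory", and whether the postinst runs under `set -e` is not visible in the hunk, so the effect is either an aborted package configuration or LDAP and RADIUS setup silently skipped while the package still reports as configured. Assuming the dispatcher is the intended entry point, the lines should read `/usr/lib/u-auth/u-auth setup-slapd || exit 1` and `/usr/lib/u-auth/u-auth setup-radius || exit 1` so a failed setup is never masked. These run on every configure, including upgrades; if the setup scripts are not idempotent, a guard on the previously configured version (`$2`) would be appropriate. The enclosing `case` arm starts outside the hunk.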
ldap and radius manage scripts